#
# This is an example of how to configure HAProxy to be used as a 'full transparent proxy' for a single backend server.
#
# With "usesrc client" HAProxy connects to the backend using the client's own IP address as source, so the
# webserver's replies are addressed to the client and not to the proxy host. To actually make this work,
# extra firewall/nat rules are therefore required to force that reply traffic back into the HAProxy process.
# Also HAProxy needs to be compiled with support for this; in HAProxy 1.5-dev19 you can check if this is the case with "haproxy -vv".
#

global

defaults
    timeout client 30s
    timeout server 30s
    timeout connect 30s

frontend MyFrontend
    bind 192.168.1.22:80
    default_backend TransparentBack_http

backend TransparentBack_http
    mode http
    source 0.0.0.0 usesrc client
    server MyWebServer 192.168.0.40:80

#
# To create the nat rules perform the following:
#
# ### (FreeBSD 8) ###
# --- Step 1 ---
# ipfw is needed to get 'reply traffic' back to the HAProxy process; this can be achieved by configuring a rule like this:
#   fwd localhost tcp from 192.168.0.40 80 to any in recv em0
#
# The following would be even better, since it matches on the proxy's uid instead of a fixed webserver address,
# but it did not seem to work on the pfSense 2.1 distribution of FreeBSD 8.3:
#   fwd 127.0.0.1:80 tcp from any 80 to any in recv ${outside_iface} uid ${proxy_uid}
#
# If only 'pf' is currently used, some additional steps are needed to load and configure ipfw.
# You need to configure this to always run on startup:
#
#   /sbin/kldload ipfw
#   /sbin/sysctl net.inet.ip.pfil.inbound="pf" net.inet6.ip6.pfil.inbound="pf" net.inet.ip.pfil.outbound="pf" net.inet6.ip6.pfil.outbound="pf"
#   /sbin/sysctl net.link.ether.ipfw=1
#   ipfw add 10 fwd localhost tcp from 192.168.0.40 80 to any in recv em0
#
# The above does the following:
# - load the ipfw kernel module
# - set pf as the outer firewall to keep control of routing packets, for example to route them to a non-default gateway
# - enable ipfw
# - set a rule that catches reply traffic on em0 coming from the webserver
#
# --- Step 2 ---
# To also make the client connection transparent, it's possible to redirect incoming requests to HAProxy with a pf rule:
#   rdr on em1 proto tcp from any to 192.168.0.40 port 80 -> 192.168.1.22
# Here em1 is the interface that faces the clients, and traffic that is originally sent straight to the webserver is redirected to HAProxy.
#
# ### (FreeBSD 9) (OpenBSD 4.4) ###
# pf supports "divert-reply", which is probably better suited for the job above than ipfw.
#
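#
# Added example (not part of HAProxy or of this example config): a small POSIX shell helper that checks
# a haproxy build for transparent proxy support and renders the Step 1 / Step 2 rules above for given
# addresses and interfaces, validating the IPv4 addresses first so a typo cannot produce a rule that
# matches the wrong host. The `haproxy -vv` samples inside it are constructed, the USE_TPROXY fallback
# match and the HAPROXY_UID value are assumptions; the rule text itself mirrors the rules in this file.
#

```shell
#!/bin/sh
# Added helper script (not part of HAProxy or this example config): checks a
# haproxy build for transparent proxy support and renders the ipfw/pf rules
# used above for arbitrary addresses and interfaces, validating the IPs first
# so a typo cannot yield a rule that matches the wrong host.

# Constructed samples standing in for `haproxy -vv` output (offline use).
SAMPLE_VV_OK='HA-Proxy version 1.5-dev19
Build options :
  TARGET  = freebsd
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY'

SAMPLE_VV_MISSING='HA-Proxy version 1.5-dev19
Build options :
  TARGET  = generic
  OPTIONS = USE_PCRE=1'

# Succeeds when the given `haproxy -vv` text shows transparent proxy support.
# HAProxy prints an explicit "Built with transparent proxy support" line; the
# USE_TPROXY / USE_LINUX_TPROXY build options are accepted as a fallback
# (assumption: older builds may list only the option, not the summary line).
has_tproxy_support() {
    printf '%s\n' "$1" | grep -q -e 'Built with transparent proxy support' \
        -e 'USE_TPROXY=1' -e 'USE_LINUX_TPROXY=1'
}

# Accepts only four dotted-decimal octets, each at most 3 digits and <= 255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    old_ifs=$IFS
    IFS=.
    for octet in $1; do
        n=$((n + 1))
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Step 1 rule: steer the webserver's replies (arriving on the outside
# interface) back into the local HAProxy socket instead of routing them on
# to the client, whose address HAProxy spoofed with "usesrc client".
render_ipfw_fwd() { # webserver_ip webserver_port outside_if
    valid_ipv4 "$1" || return 1
    printf 'ipfw add 10 fwd localhost tcp from %s %s to any in recv %s\n' "$1" "$2" "$3"
}

# Variant keyed on the proxy's uid rather than the webserver address (the
# comments above report it did not work on pfSense 2.1 / FreeBSD 8.3).
render_ipfw_fwd_uid() { # webserver_port outside_if proxy_uid
    printf 'ipfw add 10 fwd 127.0.0.1:%s tcp from any %s to any in recv %s uid %s\n' "$1" "$1" "$2" "$3"
}

# Step 2 rule: redirect client traffic aimed at the webserver to HAProxy.
# Redirecting to the webserver's own address would be a no-op, so refuse it.
render_pf_rdr() { # client_if webserver_ip webserver_port haproxy_ip
    valid_ipv4 "$2" || return 1
    valid_ipv4 "$4" || return 1
    [ "$2" != "$4" ] || return 1
    printf 'rdr on %s proto tcp from any to %s port %s -> %s\n' "$1" "$2" "$3" "$4"
}

# Use the real binary when present, otherwise the constructed sample.
if command -v haproxy >/dev/null 2>&1; then
    VV_OUTPUT=$(haproxy -vv 2>&1)
else
    VV_OUTPUT=$SAMPLE_VV_OK
fi
if has_tproxy_support "$VV_OUTPUT"; then
    echo "# transparent proxy support: present"
else
    echo "# transparent proxy support: MISSING - 'usesrc client' will not work with this build"
fi

# Addresses/interfaces from the example config; HAPROXY_UID is an assumption.
HAPROXY_UID=${HAPROXY_UID:-haproxy}
render_ipfw_fwd 192.168.0.40 80 em0
render_ipfw_fwd_uid 80 em0 "$HAPROXY_UID"
render_pf_rdr em1 192.168.0.40 80 192.168.1.22
```

# Run it on the proxy host: if it reports support as missing, rebuild HAProxy before relying on "usesrc client".
# The rules are printed rather than applied, so they can be reviewed before being added to ipfw and pf.conf.
#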